If data security in a big data environment is considered, then the distribution of keys, their management, and the ability to transfer them between the server's users over a public channel are among the most critical issues that must be addressed; the importance of key management may even outweigh the strength of the encryption algorithm. Therefore, this paper proposes a new scheme, the authenticated key management scheme (AKMS), which works through two levels of security. The first concerns how the user communicates with the server while preventing any attempt to penetrate the senders/receivers. The second makes the data sent unreadable by encrypting it, so that no one except the concerned receiver can read it; the server's function is thus limited to a passageway for communication between the sender and receiver. The presented work also discusses some concepts related to analysis and evaluation, namely key security, data security, public channel transmission, and security isolation inquiry, which demonstrate the value that the AKMS scheme carries. As well, the AKMS scheme achieved very satisfactory results for computation cost, communication cost, and storage overhead, which proved that the AKMS scheme is appropriate, secure, and practical for protecting users' private data in big data environments.
1. INTRODUCTION

The remarkable progress in data production has made data processing difficult [1]. However, due to rapid technological development, transmitting sensitive information over the internet has become easy using the new technologies that today fall under big data [2], [3]. Big data has become an important and modern topic that attracts researchers as a rich field of research, producing the most prominent studies, ideas, and innovative ways to deal with the problem and cover its gaps [4]. Big data networks today are of great importance because of the usefulness a user can gain in a big data environment [5], [6], where the user can store his data in a cloud service and share it with others [7]. Companies and employees can also gain great convenience by using cloud computing, a modern technology that is considered a big data environment. From this standpoint, the great importance of securing this environment [8] and of preserving the privacy of its users through full studies of the most prominent problems of this dilemma becomes clear [9].

This creates the need to find appropriate solutions that ensure privacy, credibility, and validation of security so that rights are well preserved [10], [11]. By considering how users are authenticated to ensure a more reliable connection, the data is encrypted and sent to the other party to make it difficult for attacks to penetrate. The power to do so depends heavily on how well encryption keys are configured and managed between users and how smoothly and securely they are passed [12]. Hence, successful key management is essential for any encryption system [13], [14]. Once keys are inventoried, key management consists of three steps: first key exchange, second key storage, and third key use [15]. Before any secured communication, users must set up the details of the cryptography. In some cases, because of a symmetric key system, identical keys may need to be exchanged; in others, the other party's public key must be obtained, and public keys can be exchanged openly. This is what is known as key exchange. Then the keys must be stored securely to keep the connection safe from any unauthorized attempt to use them, which is known as key storage. Finally, key use refers to the major issue of how long a key is to be used, and therefore the frequency of its replacement.

The security of the keys used in the encryption system is directly reflected in the security of the system [16]. The keys and their secure management are among the most important factors that must be considered in the encryption and decryption processes, independently of any vulnerability of the system arising from the key algorithm itself or the device used [17]. Moreover, the cryptographic system could be public were it not for the threats that sensitive user information faces if the key is lost or wrong [18], [19]. Some systems depend on third parties; traditional internet-style key exchange and key distribution protocols based on infrastructures were considered impractical at very large scale because of the unknown network topology before deployment, limited communication range, intermittent sensor-node operation, and network dynamics [20]. Thus, key transfer over the network is the only practical solution and the appropriate option for storing the key, but the problem is how to protect the key during the transfer and keep it safe from any attempt to steal or lose it [21], [22].

Fan et al. [7] proposed a secure key management scheme deployed in big data environments to protect user data and privacy, where the keys are divided into three layers. In the layered structure, upper keys encrypt lower keys to guarantee the security of the keys; the server and others know nothing of the user's key, and the user has to remember only the login password. Their proposal reduced the encryption time and improved key exchange and key distribution. The idea of this research starts from this point, with the aim of proposing a scheme that ensures the safe transfer and management of these keys to protect users' privacy and data integrity. It protects users' data and privacy by managing the keys safely in a big data environment, with an emphasis on efficiency, convenience, and security. The proposal states that there are two levels of security while transferring the data and managing the keys among the server's users: one concerns how the user and the server communicate, ensuring verification of a user during communication and preventing any impersonation attempt; the other concerns how to keep the data secure from the server itself, so that only the concerned receiving user is able to decrypt and read the data.

The remaining parts of this paper are organized as follows: section 2 introduces the material and method, explaining the proposed approach with a detailed description of its conception and phases, the system model, and the way ciphertext is shared. Section 3 gives an analysis and evaluation, discussing key security, data security, public channel transmission, and security isolation inquiry, and compares the scheme with related work in the area of big data security in terms of computation cost, communication cost, and storage cost. Finally, section 4 provides the conclusion, followed by the references.


2. MATERIAL AND METHOD 

In this section, the authenticated key management scheme (AKMS) is formulated in four parts. First, the idea of the AKMS scheme is explained in a way that helps the reader understand how it works; then the conception of the AKMS approach is presented through its three phases: the registration phase, the login and verification phase, and the communication phase. After that, the system model is explained in detail. Finally, ciphertext sharing is presented to explain the procedure that AKMS follows.


2.1. Term and definition 

The AKMS scheme consists of several phases, each with its own steps that introduce new symbols and parameters to serve their purpose and ensure efficiency. This section clarifies them to ease the reader's understanding. Table 1 gives a brief definition of the critical AKMS parameters that will be used.


2.2. Work of AKMS solution 

The purpose of this research is to find an approach to manage keys and transfer them between users in a secure way that ensures the confidentiality of data, to solve the problem of data protection and privacy assurance. The AKMS scheme is provided for managing and transferring keys between users in a big data network in the cloud, using Diffie-Hellman key exchange to ensure security. It ensures the safe transmission of data from the sending user to the server and then on to the concerned receiving user. Communication between users and the server uses distinct keys that vary from user to user and are created in advance during the registration phase. This adds a second layer of security, because the data is already encrypted such that even the server itself cannot understand it, and no one can decrypt it except the receiving user predefined by the sender. The AKMS scheme consists of three main parts: cloud server, user, and client (browser). After the user registers, he encrypts the data before sending it using a random unique key, and then uses the key agreed between the user and server to send the encrypted data together with the ciphertext of the random key. What distinguishes the work is that if an attacker breaks the message, he obtains nothing more than the encrypted data and cannot benefit from it. The power of the user registration phase, integrated with the power of Diffie-Hellman key exchange and random key generation, is the core of the AKMS scheme, providing complete protection of users' data during transfer, including the preservation of their privacy. In other words, an essential feature of the AKMS scheme is the encryption performed on the client side. The file is first encrypted with a randomly generated key suited to the encryption algorithm in use; this random key is then encrypted with the secret shared key agreed between the sender and receiver, created using Diffie-Hellman key exchange. The encrypted file, together with the encrypted random key, is then sent to the server under the key agreed beforehand between the user and the server. Moreover, the cloud service provider knows nothing of the user's information and key.


Table 1. Terms and definitions used by the AKMS scheme

Term      Definition
ID        User identity, the username of the registered user.
Pw        User's password, which is kept safely on the user side.
b         Random private value created for each user on the server side.
MustKey   Master key of the registered user, created on the server side.
PrivA     Private key of user A, required to establish a shared key between the sender user A and the receiver.
PubA      Public key of user A, required to establish a shared key between the sender user A and the receiver.
g, P      g is a primitive root modulo P (often called the generator); both are well-known values agreed beforehand.
A, B      Corresponding public keys.
H()       One-way hash function.
K_AS      The agreed key between user A and the server.
K_AB      The agreed key between user A and user B.
File      The file that will be uploaded to the server to be available for the receiver to download.
fileKey   A randomly generated key on the user side, used to encrypt the file before transfer.


2.3. The conception of the AKMS solution 
2.3.1. Registration phase 

The registration phase is one of the most important stages that most systems rely on to protect users' privacy and keep them safe. Through this phase, the user transfers his personal information, a username and password, while performing some mathematical operations that contribute to more robust security and prevent any penetration during registration. It is worth mentioning that each user must choose a valid password (pw) and a unique username (ID). Figure 1 shows the dialogue of this phase:


Algorithm:
1. User-A side: enter the user ID (ID_A) and password (pw).
2. Send ID_A from user-A to the server side.
3. Server side: generate a random number b and calculate MustKey = SHA-2(ID_A || b).
4. Send MustKey from the server to the user-A side.
5. User-A side: calculate PrivA = f(pw), PubA = g^{PrivA} mod P, and A = MustKey^{PrivA}.
6. Send A from user-A to the server side.
7. Server side: calculate B = MustKey + MustKey^{b} and PubA = log(A) / log(MustKey).
8. Server side: store (ID, B, b, PubA).
9. Do the same process to register all users.

Figure 1. Registration phase of the AKMS scheme


2.3.2. Login and verification phase 

Here, before starting to transfer data, the user must log in to the server by entering the username (ID) while keeping the password (pw) on the user side, and send the ID of any other previously registered user he wants to deal with. The server looks up the sent username in its database and gets its random b and B. It also looks up the name of the other user, wanted as a receiver, to get his public key. Finally, it gets the MustKey from the random b and sends it along with B and PubB to the sender. The server continues by computing the A value and the secret key, and hashes it to get the key between the sender and the server. The user also performs some mathematical operations, such as using the MustKey to extract the secret key that connects him with the server. Verification succeeds only when this secret key equals the one obtained in the server; otherwise they will not be able to communicate. The sender also uses the public key of the receiving user to extract the private secret key between them in complete secrecy, which even the server itself does not know. Figure 2 shows the dialogue of this phase:


[Figure 2: message flow between User-A, Cloud server and User-B. User-A enters ID_A, pw, ID_B and sends ID_A, ID_B to the server; the server gets B, b of user-A, computes MustKey = SHA-2(ID_A || b), gets PubB of user-B, and returns MustKey, B, PubB. User-A computes PrivA = f(pw), PubA = g^{PrivA} mod P, A = MustKey^{PrivA}, S = (B - MustKey)^{PrivA}, K_AS = H(S); the server computes S = (A * MustKey^{PubA})^{b}, K_AS = H(S). User-B performs the same steps.]

Figure 2. Login phase of the AKMS scheme
Algorithm:
1. User-A side: enter the user ID (ID_A), password (pw), and receiver user ID (ID_B).
2. Send ID_A and ID_B from user-A to the server side.
3. Server side: get the b and B values of ID_A, as well as PubB of ID_B.
4. Calculate MustKey = SHA-2(ID_A || b).
5. Send MustKey, B, PubB from the server to the user-A side.
6. User-A side: calculate PrivA = f(pw), PubA = g^{PrivA} mod P, S = (B - MustKey)^{PrivA}, and K_AS = H(S).
7. Server side: calculate A = MustKey^{PubA}, S = (A * MustKey^{PubA})^{b}, and K_AS = H(S).
8. Do the same process to authenticate the receiver user ID (ID_B) and get its key for the server.


2.3.3. Communication phase 

After the verification process, the sending user holds two secret keys: one for his communication with the server, and the second for his interaction with the receiving user, agreed using Diffie-Hellman key exchange. In the third stage, the user prepares the file to be sent and encrypts it using a random key (fileKey), usually chosen to suit the encryption algorithm used; the scheme then encrypts this key (fileKey) using the private key established between the sending user and the concerned receiving user. Finally, the scheme sends the encrypted data and the encrypted fileKey to the server using the private key between the user and the server itself. Figure 3 shows the dialogue of this phase:


[Figure 3: message flow between User-A, Cloud server and User-B, where (X)_K denotes X encrypted under key K. User-A generates fileKey, computes (File)_fileKey and K_AB = PubB^{PrivA} mod P, and sends ((File)_fileKey, (fileKey)_K_AB)_K_AS to the server; the server forwards ((File)_fileKey, (fileKey)_K_AB)_K_BS to User-B; User-B computes K_AB = PubA^{PrivB} mod P, gets fileKey, then gets the file.]

Figure 3. Communication phase of the AKMS scheme


Algorithm (where (X)_K denotes X encrypted under key K):
1. User-A side: generate a random fileKey, encrypt the original file with fileKey, get the secret key K_AB between the sender and receiver, encrypt fileKey with K_AB, and encrypt both with the K_AS key.
2. Send ((File)_fileKey, (fileKey)_K_AB)_K_AS from user-A to the server side.
3. Server side: get (File)_fileKey and (fileKey)_K_AB, then encrypt them again using K_BS.
4. Send ((File)_fileKey, (fileKey)_K_AB)_K_BS from the server to the user-B side.
5. User-B side: calculate the secret key K_AB, get fileKey, and finally get the original file.


2.4. Detail of system model 
2.4.1. Generate mustkey 

The random b generated in the AKMS scheme is considered one of the most important values that must be generated for each user; the server stores it for later use to get the master key, and then uses the master key to identify the private key (K_AS) between it and the concerned user. This usually happens at the registration stage of any big data environment application that requires the user to enter a valid password and a valid username (ID). In AKMS, the user keeps the password to himself and sends only the username (ID). The scheme generates the master key on the server side itself by obtaining a hash value, where the SHA-2 hashing algorithm combines the username (ID) with a random number (b) generated on the server side. That helps to distinguish users in case there are users with the same name [23].


2.4.2. Generate PrivA, PubA and K_AB

The AKMS scheme guarantees confidentiality in transferring keys between users, in a manner that even the server itself cannot know. It generates a random key (fileKey) used to encrypt the file before the transfer; the user also encrypts fileKey using the unified key created between him and the concerned receiving user, which relies on Diffie-Hellman key exchange, a mathematical procedure through which both the sender and the receiver agree on a secret shared key (K_AB) that is never sent directly [24]. For that reason, the AKMS scheme generates two keys for each concerned user: one private (PrivA) and the other public (PubA). The private key depends entirely on the unshared password of the sender, while the public key is generated from the private key as indicated in (1) and (2), and is finally sent to and stored on the server.


PrivA = f(pw)                     (1)
PubA = g^{PrivA} mod P            (2)


On the other side, the receiving user takes the same steps using his password to generate his private and public keys. With each user knowing the public key of the other party, and through Diffie-Hellman key exchange, the sender and receiver can generate a unified key through which they communicate separately from the server.


2.4.3. Generate the corresponding public keys (A, B) and K_AS

The server cannot know any information about the sent data, since the data is encrypted on the sender side and no one can decrypt it except the concerned receiving user, using the secret shared key agreed between them. Moreover, the AKMS scheme adds another level of data security to ensure that the already-encrypted data reaches the server securely. From here comes the importance of a unique secret key agreed between the user and the server for use during communication; each user has his own agreed secret key for dealing with the server, denoted for user-A as K_AS. This key is obtained mainly through A and B, the corresponding public keys between the user and the server, from which the right key can be calculated, as formulas (3) to (6) show:


A = g^{PrivID} mod P                                   (3)
B = MustKey + MustKey^{b}                              (4)
S = (A * MustKey^{PubA})^{b} = (B - MustKey)^{PrivA}   (5)
K_ID,S = H(S)                                          (6)


2.4.4. Ciphertext sharing 

If user-A wants to send a file to share with user-B, the scenario is as follows. User-A logs in by entering his name and password, then enters user-B as the user concerned with receiving the file, and chooses the file to send. The server checks for the presence of user-B in its database, sends the public key (PubB) of user-B, gets the master key of user-A himself (MustKey-A), and sends both to the user-A side. The master key of user-A (MustKey-A) is used to find the shared secret key between user-A and the server (K_AS). Moreover, the scheme generates a random key (fileKey) that complies with the encryption algorithm used to encrypt the file on the user-A side, and by using the public key of user-B (PubB) the scheme obtains the shared key that connects the two users (K_AB) through the Diffie-Hellman key exchange technique. The random key is encrypted with the user-A and user-B shared key (K_AB); then the ciphertext file, along with the sharing fileKey ciphertext, is sent to the server under (K_AS) and stored there. On the other side, user-B follows the same steps to log in and then gets his own (K_AB) and (K_BS). User-B downloads the stored file and the sharing fileKey ciphertext from the server using the (K_BS) that connects them, then uses (K_AB) to decrypt the sharing fileKey ciphertext, and with the obtained (fileKey) user-B can get the file which user-A shared.
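The ciphertext-sharing scenario above, together with the communication phase of sections 2.2 and 2.3.3 and the password-derived key pair and Diffie-Hellman agreement K_AB = PubB^{PrivA} mod P of section 2.4.2, as an added Python example that is not part of the paper. It fills in things the paper leaves unspecified, all of which are assumptions: f(pw) is PBKDF2-SHA256, the symmetric cipher is an HMAC-SHA256 keystream (a stand-in, not a recommendation), (g, P) is a toy 127-bit group, and the user-server keys K_AS and K_BS are handed in as already agreed in the login phase rather than derived from MustKey. The notation (X)_K from Figure 3 means X encrypted under key K.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (g, P). 2**127 - 1 is prime, but a real deployment
# would use a standardised group (e.g. RFC 3526); this choice is an assumption.
P = 2**127 - 1
G = 3


def priv_from_password(pw: str) -> int:
    """PrivA = f(pw) (eq. 1). f is not specified by the paper; PBKDF2-SHA256 is assumed."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), b"akms-demo-salt", 100_000)
    return int.from_bytes(digest, "big") % (P - 2) + 1


def pub_from_priv(priv: int) -> int:
    """PubA = g^PrivA mod P (eq. 2)."""
    return pow(G, priv, P)


def shared_key(their_pub: int, my_priv: int) -> bytes:
    """K_AB = PubB^PrivA mod P (Figure 3), hashed down to a 32-byte symmetric key."""
    s = pow(their_pub, my_priv, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for the paper's unspecified cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """(data)_key: a fresh 16-byte nonce followed by data XOR keystream."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def pack(enc_file: bytes, wrapped_key: bytes) -> bytes:
    """Bundle ((File)_fileKey, (fileKey)_K_AB) with a 4-byte length prefix."""
    return len(enc_file).to_bytes(4, "big") + enc_file + wrapped_key


def unpack(bundle: bytes) -> tuple:
    n = int.from_bytes(bundle[:4], "big")
    return bundle[4:4 + n], bundle[4 + n:]


def sender_prepare(file: bytes, priv_a: int, pub_b: int, k_as: bytes) -> bytes:
    """User-A (algorithm steps 1-2): encrypt the file with a random fileKey, wrap
    fileKey under K_AB, then wrap the whole bundle under K_AS for the trip to the server."""
    file_key = secrets.token_bytes(32)
    k_ab = shared_key(pub_b, priv_a)
    return encrypt(k_as, pack(encrypt(file_key, file), encrypt(k_ab, file_key)))


def server_relay(blob: bytes, k_as: bytes, k_bs: bytes) -> tuple:
    """Server (steps 3-4): remove the K_AS layer and re-wrap under K_BS.
    Returns (blob for user-B, what the server could see in between)."""
    inner = decrypt(k_as, blob)
    return encrypt(k_bs, inner), inner


def receiver_open(blob: bytes, priv_b: int, pub_a: int, k_bs: bytes) -> bytes:
    """User-B (step 5): peel K_BS, recompute K_AB = PubA^PrivB, unwrap fileKey, decrypt file."""
    enc_file, wrapped_key = unpack(decrypt(k_bs, blob))
    file_key = decrypt(shared_key(pub_a, priv_b), wrapped_key)
    return decrypt(file_key, enc_file)


def demo() -> tuple:
    """Run the exchange on a constructed file; returns (recovered file, server view, original)."""
    file = b"constructed sample file: quarterly report draft"
    priv_a, priv_b = priv_from_password("alice-password"), priv_from_password("bob-password")
    pub_a, pub_b = pub_from_priv(priv_a), pub_from_priv(priv_b)
    # K_AS / K_BS are assumed to have been agreed in the login phase (not derived here).
    k_as, k_bs = secrets.token_bytes(32), secrets.token_bytes(32)
    to_server = sender_prepare(file, priv_a, pub_b, k_as)
    to_b, server_view = server_relay(to_server, k_as, k_bs)
    return receiver_open(to_b, priv_b, pub_a, k_bs), server_view, file


if __name__ == "__main__":
    recovered, server_view, original = demo()
    print("receiver recovered file:", recovered == original)
    print("server saw plaintext:", original in server_view)
```

Running demo() shows the two properties the paper claims for this phase: user-B recovers the file, while the server, which strips only the K_AS layer before re-wrapping under K_BS, holds nothing but (File)_fileKey and (fileKey)_K_AB and never sees the plaintext file or fileKey. This construction gives confidentiality only; the paper does not specify integrity protection for the bundle, and none is added here.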
3. RESULT AND DISCUSSION
3.1. Analysis and evaluation 
3.1.1. Keys security 

The AKMS scheme depends on transferring keys indirectly using mathematical formulas that make them very difficult for attackers to break. It is also careful not to send any values that might lead to the main keys, so all the sent values that an attacker may obtain have no meaning or benefit. As observed in the registration and login phases, AKMS provides zero-knowledge security by using the unified key K = H(S), which is the hash result calculated on both sides from formulas (7) and (8):


S = (A * MustKey^{PubA})^{b}      (7)
S = (B - MustKey)^{PrivA}         (8)


To obtain either equation, attackers need the value of PubA, which is never shared. Moreover, PubID depends on PrivA, which in turn depends directly on the user's own password. That ensures that no user will be able to get the correct key to connect to the server unless he presents the correct password used during his registration phase, which is never shared. Thus, any impersonation attempt also fails. Concerning the communication phase in which the file is transferred, the AKMS scheme encrypts the file using a randomly generated encryption key (fileKey) compatible with the encryption algorithm used. It then encrypts this key to get the sharing fileKey ciphertext in a way that only the concerned receiving user can break, using the Diffie-Hellman key exchange technique, whose security has already been proven. In this way, what reaches the server is the encrypted file along with the sharing fileKey ciphertext, which are delivered in the same manner to the concerned receiving user without being decrypted.


3.1.2. Data security 

In general, the AKMS scheme is designed to ensure the confidentiality of data and to preserve security and privacy. It guarantees double security through two levels: the first between the user and the server, the second between the sending user and the counterpart user concerned with receiving the data. Moreover, the scheme encrypts the file before sending it using the randomly generated fileKey, then uploads it to the server for storage. Only the user himself can decrypt the file, and what is sent is useless information that even the server cannot understand. The user therefore encrypts the generated random fileKey with a shared key between him and the concerned receiving user, using the Diffie-Hellman key exchange technique to transfer the key to the receiver secretly. Thus, the security and protection of data is maintained and guaranteed.


3.1.3. Public channel transmission 

The AKMS scheme provides a double level of security: the first between the user and the server, and the other between the sending user and the concerned receiving user. The shared keys of the first level are reached in a complex and indirect way, as each user has his own unshared password, which distinguishes him from others and protects him against an impersonation attempt on either his side or the server side. Moreover, user data is sent in ciphertext form using a random key (fileKey), generated each time in a way compatible with the encryption algorithm used. Finally, the sharing fileKey ciphertext is obtained, which only the concerned receiving user can break using the Diffie-Hellman key exchange technique. Thus, even if the big data environment channel is attacked, it will be difficult for the attacker to break the ciphertext transferred between the user and the server, since the user is the only one who can configure the correct key between him and the server, and anyone who does break it will find only ciphertext data of no benefit.


3.1.4. Security Isolation inquiry 

The benefit of the cloud server lies in the communication phase, to store the ciphertext of users' data and keys during the whole process. The scheme transfers the data as ciphertext that no one other than the concerned user can understand. The server also maintains data security during transfer and enforces strict registration and login stages that are difficult to break. This means the server's function remains only to pass data through, beyond checking the authenticity of users and managing the keys between them. Thus, the data stored on the cloud is isolated from the server.


3.1.5. Security features 


The security analysis of AKMS proved the strength of the approach against most common attacks, through a powerful and strict way of enabling the user to register himself with the server in a more robustly secure manner and to obtain his key for communicating with the server over the untrusted channel. Table 2 summarizes some of the security features of the AKMS scheme.


Table 2. Security features of the AKMS scheme

Attack                     Avoided
Password guessing attack   Yes
Replay attack              Yes
Man in the middle attack   Yes
Brute-force attack         Yes
Dictionary attack          Yes
Insider attack             Yes
Impersonation attack       Yes
User anonymity attack      Yes


3.2. Performance analysis 

In this section, the efficiency of AKMS is demonstrated by comparison with some related works on big data security, through a performance analysis that computes the cost of computation, communication, and storage overhead. The meaning of the notation used in the comparison is given in Table 3.


Table 3. Notation used in the computation cost comparison

Symbol   Notation for
T_H      Hash function
T_E      Exponential operation
T_S      Symmetric key encryption/decryption


3.2.1. Computation cost 

Table 4 shows the computation cost of the AKMS scheme and of the related works static knowledge-based authentication mechanism (SKAM) [6], token-based authentication security (TASS) [25], and a novel authentication framework for Hadoop (NAFH) [23], giving a relative comparison for the registration phase; Table 5 does the same for the login and communication phases.


Table 4. The computation cost of the registration phase

AKMS (The Proposed)   SKAM                 TASS          NAFH
2T_H + T_E            2T_S + 3T_H + T_E    2T_H + T_E    4T_S + T_H


Table 5. The computation cost of login and communication

AKMS (The Proposed)   SKAM           TASS                  NAFH
3T_S + T_H + T_E      8T_S + 2T_H    5T_S + 6T_H + 5T_E    21T_S


The total computation cost of the registration phase for the user and server is 2T_H + T_E. This is considered a fairly good value because this phase runs only once for a single user, during his registration with the server. In contrast, the total computation cost of the login and communication phases for the user and server is 3T_S + T_H + T_E, which is considered more efficient than the related works it is compared with, as the notation shows.


3.2.2. Communication cost 

The communication cost is usually calculated to measure the efficiency of the login and verification phases, as they execute more frequently than the other phases. The following values are suggested as the basis for calculating the concerned terms: the identity ID, password pw, salt, secret one-way hash function, visualization function, ticket, and related messages such as answers are all assumed to be 128 bits long; the random number, sentences, and the encrypted session key are all 1024 bits long; and other values such as the timestamp are 32 bits long.

In the AKMS scheme, the communication overhead is 3872 = (5*160 + 3*1024) bits. As noted, it is better than that of the other related works. Table 6 shows the communication cost of the AKMS scheme and of the related works SKAM [6], TASS [25], and NAFH [23], calculated in the same way and assuming that the same variables in each of them have the same values. Table 6 is drawn graphically in Figure 4 to clearly show the different communication cost of each work, measured in bits.


[Figure 4: chart of the communication cost of the login and communication phases, in bits, for each scheme of Table 6]

Figure 4. Communication cost of login and communication phase


Table 6. Communication cost of login and communication (bits)

AKMS (The Proposed)   SKAM   TASS   NAFH
3872                  5376   9280   6912


3.2.3. Storage overhead

The AKMS scheme works by registering some user values that the server maintains in its database and later uses to verify the user in the login phase. It stores (ID, B, b, PubID) in the server database, so the maximum storage cost is 2368 (2*160 + 2*1024) bits. Table 7 provides the comparison of the AKMS scheme with the related works SKAM [6], TASS [25], and NAFH [23], and shows that the storage cost of AKMS is relatively reasonable and may become lower if the keys used are reduced in size. Table 7 is drawn graphically in Figure 5 to clearly show the different storage cost of each work, measured in bits.


Table 7. Storage cost of registration phases

Figure 5. Storage overhead

4. CONCLUSION

This paper covered an authenticated key management scheme for securing a big data environment (AKMS), which protects users' data and privacy by managing the keys safely in a big data environment with an emphasis on efficiency, convenience, and security. The AKMS scheme works through two levels of security. The first concerns how the user communicates with the server in a way that prevents any attempt to penetrate the user who sends or receives the data. The second makes the sent data unreadable to anyone except the concerned user. It starts from the users' registration phase on the server, where a common unique key for each user is reached for communicating with the server; this key depends entirely on the password, and any communication between them takes place using only this key. Second, AKMS encrypts the data before transfer using a randomly chosen encryption key (fileKey) suited to the encryption algorithm used, and then encrypts this key as well, to get the sharing fileKey ciphertext, using the shared key between it and the concerned receiving user, which both parties obtain through Diffie-Hellman key exchange. AKMS ensures that any data sent cannot be penetrated by any of the users, including the server, and thus provides complete protection of users' data during transfer, including the preservation of their privacy. Moreover, this paper discussed some concepts related to analysis and evaluation, namely key security, data security, public channel transmission, and security isolation inquiry, which demonstrate the value that the AKMS scheme carries. As well, AKMS achieved very satisfactory results for computation cost, communication cost, and storage overhead.